24f1c2a20833b1d6f88cb5e73513cc0f163e7c552db78fb783523fb3e1c3a75d

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

146KB
MD5

1784d03173fd273f9810be0a48f1f383
SHA1

b4354665152723b9fa6e31f07d155265a1d6e2f6
SHA256

03097f75904007de33f69ec77e02146fe2a0b3d3b2a923640677bb1f46815b07
SHA512

35dad75e13ab4363ee1495e304e58ec11f731da1f8e21ce9690cfd0cff7d77c50f8b9b5584208e315c8cbb71345401e6ffd771427690b2cffcb40b3ec78b7edb
SSDEEP

3072:nyPZHpVIYbQf91G3im/2Ef07Jysgk8vRFHoCj1advu07rr/b/V53SgvB+qMDDpvy:n2HpV+8vnvEu0Xrjt5igvy6Qijx3P

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\Merlin_Recover.txt

Ransom Note

Your ID is: 5F03B352D4822F03 Q: How to contact us? A: Install session messenger from this link : https://getsession.org/download And chat with us. This is our sessions ID: 05752759728f65ca92b3d98fc72500cdb7c5b11eb7b17f7d8afc6b8ecdcbdedf6d OR Contact with these email addresses: [email protected] [email protected] [email protected] ** Make sure to include the ID in the first line of massages or subject of email, otherwise we won�t answer your massages. Q: What's Happened? A: Your files have been encrypted and now have the "Merlin" extension. The file structure has been changed to unreadable format, so they are inaccessible. Your critical information has been downloaded, including databases, financial/developmental, accounting, and strategic documents. Q: How to recover files? A: If you want to decrypt all of your data and return your systems to operative state, you require a decryption tool. We are the only ones who own it, and also, if you want your stolen data will be wiped out from our systems, you better contact us. Q: What about guarantees? A: we decrypt 2 non_important files under 5MB for free (they should not include sensitive information). We will decrypt them and send them back to you. They can be from different computers on your network to be sure that one key can decrypts your whole systems. That is our guarantee. It's just a business and we don't pursue any political objectives. We absolutely do not care about you and your data except the money and our reputation are the only things that matters to us. if we do not do our work and liabilities, nobody will cooperate with us which is not in our interests. Q: How will the decryption process proceed after payment? A: After payment, we will send you our decryption program + detailed instructions for use. With this program, you will be able to decrypt all your encrypted files. *** Important *** 1- certain files that were encrypted but not renamed to "Merlin" extension, they will also be recovered by the decryption tool. 2- If you want the decryption procedure to be effective, DO NOT delete or modify the encrypted files, it will cause issues with the decryption process. 3- Beware Any organization or individual who asserts they can decrypt your data without paying us should be avoided. They just deceive you and charge you much more money as a consequence; they all contact us and buy the decryption tool from us. Q: If you don't want to pay to us? A: it does not matter to us, but you have to accept its consequences: 1- Your data will be leaked for free on TOR darknet and your competitors can have access to your data. 2- We know exactly what vulnerabilities exist in your network and will inform google about them. The money we asked for is nothing compare to all of these damages to your business so we recommend you to pay the price and secure your business. If you pay we will give you tips for your security so it can�t be hacked in the future besides you will lose your time and data cause we are the only ones that have the private key. In practice - time is much more valuable t

Emails

[email protected]

URLs

https://getsession.org/download

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (10319) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
1452	Temp3.tmp

Loads dropped DLL 1 IoCs

pid	Process
1808	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	sample.exe
File opened (read-only)	\??\T:	sample.exe
File opened (read-only)	\??\V:	sample.exe
File opened (read-only)	\??\W:	sample.exe
File opened (read-only)	\??\Y:	sample.exe
File opened (read-only)	\??\S:	sample.exe
File opened (read-only)	\??\D:	sample.exe
File opened (read-only)	\??\N:	sample.exe
File opened (read-only)	\??\U:	sample.exe
File opened (read-only)	\??\G:	sample.exe
File opened (read-only)	\??\J:	sample.exe
File opened (read-only)	\??\Z:	sample.exe
File opened (read-only)	\??\F:	sample.exe
File opened (read-only)	\??\A:	sample.exe
File opened (read-only)	\??\P:	sample.exe
File opened (read-only)	\??\X:	sample.exe
File opened (read-only)	\??\H:	sample.exe
File opened (read-only)	\??\L:	sample.exe
File opened (read-only)	\??\R:	sample.exe
File opened (read-only)	\??\O:	sample.exe
File opened (read-only)	\??\B:	sample.exe
File opened (read-only)	\??\E:	sample.exe
File opened (read-only)	\??\I:	sample.exe
File opened (read-only)	\??\K:	sample.exe
File opened (read-only)	\??\M:	sample.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\THMBNAIL.PNG	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.concurrent_1.1.0.v20130327-1442.jar.Merlin	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk	sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\Merlin_Recover.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.LEX	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api.Merlin	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15.dll.mui.Merlin	sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kwajalein	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\cpu.js	sample.exe
File opened for modification	C:\Program Files\EditSplit.emf	sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt.Merlin	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01176_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png.Merlin	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.Merlin	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar.Merlin	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01236_.WMF	sample.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.Merlin	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21310_.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME17.CSS	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png.Merlin	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar.Merlin	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF.Merlin	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SplashScreen.bmp.Merlin	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0283209.GIF.Merlin	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml	sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Lima	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\settings.css	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\cpu.js	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\validation.js.Merlin	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01173_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full.png.Merlin	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT.Merlin	sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\TOOT.WAV.Merlin	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfig.zip	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01548_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212953.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01838_.GIF.Merlin	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui.Merlin	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml	sample.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\Merlin_Recover.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdaorar.dll.mui	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECREC.CFG	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html.Merlin	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\adcjavas.inc	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02263_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Elegant.dotx.Merlin	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf	sample.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\Merlin_Recover.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\ROGERS.COM.XML	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\weather.js	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\HEADER.GIF	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png.Merlin	sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2592	schtasks.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2996	vssadmin.exe
1532	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000_Classes\Local Settings	rundll32.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
2976	NOTEPAD.EXE
2548	NOTEPAD.EXE
2784	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe
2496	sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	sample.exe
Token: SeRestorePrivilege	2496	sample.exe
Token: SeBackupPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeAuditPrivilege	2496	sample.exe
Token: SeSecurityPrivilege	2496	sample.exe
Token: SeIncBasePriorityPrivilege	2496	sample.exe
Token: SeBackupPrivilege	2872	vssvc.exe
Token: SeRestorePrivilege	2872	vssvc.exe
Token: SeAuditPrivilege	2872	vssvc.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe
Token: SeTakeOwnershipPrivilege	2496	sample.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2884	2496	sample.exe	29
PID 2496 wrote to memory of 2884	2496	sample.exe	29
PID 2496 wrote to memory of 2884	2496	sample.exe	29
PID 2496 wrote to memory of 2884	2496	sample.exe	29
PID 2496 wrote to memory of 1504	2496	sample.exe	31
PID 2496 wrote to memory of 1504	2496	sample.exe	31
PID 2496 wrote to memory of 1504	2496	sample.exe	31
PID 2496 wrote to memory of 1504	2496	sample.exe	31
PID 2884 wrote to memory of 2592	2884	cmd.exe	33
PID 2884 wrote to memory of 2592	2884	cmd.exe	33
PID 2884 wrote to memory of 2592	2884	cmd.exe	33
PID 2884 wrote to memory of 2592	2884	cmd.exe	33
PID 1504 wrote to memory of 2996	1504	cmd.exe	34
PID 1504 wrote to memory of 2996	1504	cmd.exe	34
PID 1504 wrote to memory of 2996	1504	cmd.exe	34
PID 2928 wrote to memory of 2976	2928	rundll32.exe	46
PID 2928 wrote to memory of 2976	2928	rundll32.exe	46
PID 2928 wrote to memory of 2976	2928	rundll32.exe	46
PID 2496 wrote to memory of 2292	2496	sample.exe	48
PID 2496 wrote to memory of 2292	2496	sample.exe	48
PID 2496 wrote to memory of 2292	2496	sample.exe	48
PID 2496 wrote to memory of 2292	2496	sample.exe	48
PID 2496 wrote to memory of 1808	2496	sample.exe	49
PID 2496 wrote to memory of 1808	2496	sample.exe	49
PID 2496 wrote to memory of 1808	2496	sample.exe	49
PID 2496 wrote to memory of 1808	2496	sample.exe	49
PID 2496 wrote to memory of 3040	2496	sample.exe	53
PID 2496 wrote to memory of 3040	2496	sample.exe	53
PID 2496 wrote to memory of 3040	2496	sample.exe	53
PID 2496 wrote to memory of 3040	2496	sample.exe	53
PID 3040 wrote to memory of 1236	3040	cmd.exe	54
PID 3040 wrote to memory of 1236	3040	cmd.exe	54
PID 3040 wrote to memory of 1236	3040	cmd.exe	54
PID 3040 wrote to memory of 1236	3040	cmd.exe	54
PID 1808 wrote to memory of 1452	1808	cmd.exe	55
PID 1808 wrote to memory of 1452	1808	cmd.exe	55
PID 1808 wrote to memory of 1452	1808	cmd.exe	55
PID 1808 wrote to memory of 1452	1808	cmd.exe	55
PID 2292 wrote to memory of 1532	2292	cmd.exe	56
PID 2292 wrote to memory of 1532	2292	cmd.exe	56
PID 2292 wrote to memory of 1532	2292	cmd.exe	56

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\Temp3.tmp"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\Temp3.tmp
    C:\Users\Admin\AppData\Local\Temp\Temp3.tmp
    3⤵
    - Executes dropped EXE
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
    3⤵
    PID:1236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Merlin_Recover.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2784

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1208

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Pictures\MoveUnpublish.tif.Merlin
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\MoveUnpublish.tif.Merlin
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2976

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\Merlin_Recover.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Merlin_Recover.txt

Filesize
3KB

MD5
64d1b77bb61544c8440363d4374c3c65

SHA1
2925f8f71c44185ceb93939c1dba343e1d77d6d6

SHA256
9d7aee82e5e3a93c4d513ba145c72003094a9a833aeec8becffd56a8893259a1

SHA512
f15e8918fda73cb45a2a81286e0c16fc754661fe07d9839e070ae0581f23ada1deff3e359f0348410c3ce6511b14d8005b36f813e770270395505d3299ff0af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp3.tmp

Filesize
5KB

MD5
ab65af4349e7c5b0872c8b808d036980

SHA1
414b2a2748b7ea6176c1d2453f89fdc8a2d349d0

SHA256
a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2

SHA512
2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp3.tmp

Filesize
5KB

MD5
ab65af4349e7c5b0872c8b808d036980

SHA1
414b2a2748b7ea6176c1d2453f89fdc8a2d349d0

SHA256
a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2

SHA512
2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679

Download Submit
C:\Users\Admin\Desktop\Merlin_Recover.txt

Filesize
3KB

MD5
64d1b77bb61544c8440363d4374c3c65

SHA1
2925f8f71c44185ceb93939c1dba343e1d77d6d6

SHA256
9d7aee82e5e3a93c4d513ba145c72003094a9a833aeec8becffd56a8893259a1

SHA512
f15e8918fda73cb45a2a81286e0c16fc754661fe07d9839e070ae0581f23ada1deff3e359f0348410c3ce6511b14d8005b36f813e770270395505d3299ff0af1

Download Submit
C:\Users\Admin\Pictures\Merlin_Recover.txt

Filesize
3KB

MD5
64d1b77bb61544c8440363d4374c3c65

SHA1
2925f8f71c44185ceb93939c1dba343e1d77d6d6

SHA256
9d7aee82e5e3a93c4d513ba145c72003094a9a833aeec8becffd56a8893259a1

SHA512
f15e8918fda73cb45a2a81286e0c16fc754661fe07d9839e070ae0581f23ada1deff3e359f0348410c3ce6511b14d8005b36f813e770270395505d3299ff0af1

Download Submit
C:\Users\Admin\Pictures\MoveUnpublish.tif.Merlin

Filesize
1.7MB

MD5
33ec32822b21688091d34b4773382d00

SHA1
67c9aad4e4e461ffbd38fa345a9bd7a40f4693a9

SHA256
0c7c69255ec2def27e149731680b544fc3c3f5ef8288a0036de9249f2b685465

SHA512
ebdde2f7f5296dc83ad1748a174bd72dc4557f7a65bdbccf84466487e1bea2e4b83110559f7101db10b6e667c6d71db1c764ca232eb3d2a533a5927973a6233f

Download Submit
\Users\Admin\AppData\Local\Temp\Temp3.tmp

Filesize
5KB

MD5
ab65af4349e7c5b0872c8b808d036980

SHA1
414b2a2748b7ea6176c1d2453f89fdc8a2d349d0

SHA256
a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2

SHA512
2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679

Download Submit